#112598 - bobmcbob - Mon Dec 18, 2006 11:44 am
Hi,
I rather foolishly, it seems, bought a Ninjapass x9 slot-1 based card.
Homebrew is barely supported, but I made a small loader to enable some to boot.
Anyway, now I want to pick up a super card or something, so I need the x9 to act as a passme.
I got hold of a firmware dump of an old ninjapass thingy and managed to reverse most of it, and I have reimplemented the code; it is below.
To test this I have an nds homebrew burnt onto an ezflash 128mb which works fine in my friend's flashme'd DS.
(I have a DS-Lite if that makes any difference.)
The code doesn't appear to work at the moment and I'm wondering if it is because I am missing something?
The firmware dump I peeked at was huge but only seemed to contain two really small sections of code that do exactly what I expected a passme to do. I'm very new to the DS so I may have got things confused.
Anyway, the arm7 code is here:
Code:
.arm
.global _start
_start:
    ldr r0, ADDR1       @ Memory address to check
    ldr r1, GBA         @ GBA cart space
loop1:
    ldr r2, [r0]        @ Load value at mem (written to by arm9)
    cmp r2, r1
    bne loop1
    mov r0, #65536      @ For a loop to give us time to get the stuff sorted
    mov r1, #0
loop2:
    add r1, r1, #1      @ r1 = r1 + 1
    cmp r1, r0
    bne loop2           @ Basically a little sleep loop
    bx r2               @ R2 should contain the GBA address offset
ADDR1: .word 0x027ffe34
GBA:   .word 0x080000c0
And the ARM9 code:
Code:
.arm
.global _start
_start:
    ldr r0, ROM_TITLE      @ Store some value in amongst rom title?
    ldr r1, UNKNOWN_V
    str r1, [r0]
    ldr r0, AUTO_START     @ Set the auto start bit
    mov r1, #4
    strb r1, [r0]
    ldr r0, A9_ROM_OFF     @ Clear the ARM9 rom offset
    mov r1, #1
    strb r1, [r0]
    ldr r0, A9_RAM_ENTRY   @ Set A9 entry point into rom header (has been cleared)
    ldr r1, ROM_TITLE
    str r1, [r0]
    ldr r0, A7_ENTRY       @ Set ARM7 entry to GBA and SOFT RESET
    ldr r1, GBA_ADDR
    str r1, [r0]
    swi 0x00000000         @ Call arm9 bios func SWI SoftReset
A7_ENTRY:     .word 0x027ffe34
A9_RAM_ENTRY: .word 0x027ffe24
A9_ROM_OFF:   .word 0x027ffe22
AUTO_START:   .word 0x027ffe1f
ROM_TITLE:    .word 0x027ffe04
GBA_ADDR:     .word 0x080000c0
UNKNOWN_V:    .word 0xe59ff018
Any ideas/hints/clues/pointers or more information on what is needed would be great.
Thanks
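As an added check (my own C model, not code from the post or from the Ninjapass firmware), this replays the ARM9 stores above onto a constructed copy of the header region and decodes UNKNOWN_V as an ARM LDR, confirming that the word planted in the title is `ldr pc, [pc, #0x18]`, which reads back 0x027ffe24, the ARM9 entry field the post sets. Offsets are the post's addresses minus 0x027ffe00; the word accessor helpers are assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Constructed 0x40-byte model of the header copy at 0x027ffe00; offsets are
   the post's absolute addresses minus that base. */
#define HDR_BASE   0x027ffe00u
#define OFF_TITLE  0x04u  /* ROM_TITLE    */
#define OFF_AUTO   0x1fu  /* AUTO_START   */
#define OFF_A9_ROM 0x22u  /* A9_ROM_OFF   */
#define OFF_A9_ENT 0x24u  /* A9_RAM_ENTRY */
#define OFF_A7_ENT 0x34u  /* A7_ENTRY     */
#define GBA_ADDR   0x080000c0u
#define UNKNOWN_V  0xe59ff018u
static uint8_t hdr[0x40];

/* Little-endian word accessors (assumed helpers, independent of host order). */
static void wr32(unsigned off, uint32_t v) {
    for (int i = 0; i < 4; i++) hdr[off + i] = (uint8_t)(v >> (8 * i));
}
static uint32_t rd32(unsigned off) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)hdr[off + i] << (8 * i);
    return v;
}

/* Replay the five stores the post's ARM9 code makes before its swi 0. */
void apply_arm9_patch(void) {
    memset(hdr, 0, sizeof hdr);
    wr32(OFF_TITLE, UNKNOWN_V);              /* str r1, [ROM_TITLE]   */
    hdr[OFF_AUTO] = 4;                       /* strb #4, [AUTO_START] */
    hdr[OFF_A9_ROM] = 1;                     /* strb #1, [A9_ROM_OFF] */
    wr32(OFF_A9_ENT, HDR_BASE + OFF_TITLE);  /* ARM9 entry -> title   */
    wr32(OFF_A7_ENT, GBA_ADDR);              /* ARM7 entry -> GBA ROM */
}

/* Decode ARM "LDR pc, [pc, #+imm12]" (cond bits ignored; P=1 U=1 B=0 W=0 L=1,
   Rn=Rd=15) and return the address it loads from when executed at pc; 0 otherwise. */
uint32_t ldr_pc_source(uint32_t insn, uint32_t pc) {
    if ((insn & 0x0ffff000u) != 0x059ff000u) return 0;
    return pc + 8 + (insn & 0xfffu);  /* PC reads as insn address + 8 in ARM state */
}

/* 1 when the word planted in the title reloads PC from the ARM9 entry field and
   that field points back at the title: the ARM9 then spins at 0x027ffe04 until
   something stores a new entry address at 0x027ffe24. */
int arm9_loop_consistent(void) {
    return ldr_pc_source(rd32(OFF_TITLE), HDR_BASE + OFF_TITLE) == HDR_BASE + OFF_A9_ENT
        && rd32(OFF_A9_ENT) == HDR_BASE + OFF_TITLE;
}
uint32_t arm7_handoff_addr(void) { return rd32(OFF_A7_ENT); }  /* what the ARM7 loop polls for */
```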