Posted on 05-13-18, 12:35 am in Nintendo DS dev hardware! IS-NITRO-EMULATOR & co. (rev. 1 by Myria on 05-13-18, 12:43 am)


Posted by Dirbaio
Posted by Gericom
Cool! Nice find. So this is data that is only needed on an actual cartridge and not on the IS-NITRO-EMULATOR, apparently. Is it known what the exact purpose of that data is?


From what I understand, the DS encryption generates some data tables from the gamecode, then uses them to encrypt/decrypt commands. This data is what's in the ROM at 0x1600 and 0x1c00.


It looks like you've discovered all this too =)

An implication of this discovery is that almost all DS cartridge dumps are bad. The rare exceptions are the Contra 4 prototype (as you discovered) and Virtual Console titles. Retail carts have the game-specific Blowfish tables at 1600-1647 and 1C00-2BFF, but there is no known way to dump them. Attempting to read this area on cartridges will just return mirrors of other parts of the ROM. Both retail and dev DS carts have this behavior.

We can't simply regenerate the data. While 1600-1647 and 1C00-2BFF are algorithmically generated, 1000-15FF, 1648-1BFF and 2C00-2FFF appear random with no known source. If you corrupt these seemingly unused areas of a cartridge and flash it to a dev cartridge, the dev cartridge still works. The random garbage might be chaff to make it less likely that hackers find it. But the annoying part is that it means we can't simply generate this data and attach it to existing dumps.

However, a ray of hope exists: if you flash a cartridge with corrupted unused data, it will work fine, but if you then ask the IS-NITRO-EMULATOR (etc.) to verify the dump, it will say that the flash is bad. Try again with the hacked image and it will say that it's correct. In other words, something is able to read the security data.

This is not visible in the USB communication with the IS devices. Whatever is happening has to be on the device's side. I don't have the electronics know-how to set up a logic analyzer on the cartridge protocol bus to see what's involved with verifying.

It's quite possible that only dev cartridges respond to whatever the IS devices are sending. But this is a ray of hope for correct dumps.

One more thing I should mention: DSi-enhanced games have a second security data block, before the second secure area. The data that the IS dev software burns to DSi flash carts for NTRJ does not have the Blowfish tables - something on the cartridge or IS device must be munging it. The actual format is the same, relative to the beginning of that area: Blowfish tables at +0600-+0647 and +0C00-+1BFF and byte pattern at +2000-+2FFF. The Blowfish tables are generated slightly differently, but GodMode9 has the correct algorithm.
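Added example, not code from the thread or from GodMode9: a Python heuristic that takes the offsets named above and classifies the 0x1000-0x2FFF area of a dump as filler, a mirror of another aligned chunk, or unique high-entropy data, which is the quick triage a dumper would want before trusting an image. The sample images, the SHA-256 filler and the "mirror of the header chunk" layout are constructed for the test and are assumptions, not measured cartridge behavior.

```python
import hashlib
import math
from collections import Counter
# Offsets from the post, relative to the start of an NTR cartridge ROM image.
SECURITY_AREA = (0x1000, 0x3000)                                      # carts return mirrors here
RANDOM_FILL = [(0x1000, 0x1600), (0x1648, 0x1C00), (0x2C00, 0x3000)]  # no known generator
CHUNK = 0x1000

def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte; real security data should sit close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify_chunk(rom: bytes, start: int, search_limit: int = 0x8000) -> dict:
    """Is this 0x1000-byte chunk filler, a mirror of another aligned chunk, or unique data?"""
    block = rom[start:start + CHUNK]
    if block.count(block[0]) == CHUNK:
        return {"offset": start, "status": "blank", "fill": block[0]}
    for off in range(0, min(len(rom), search_limit) - CHUNK + 1, CHUNK):
        if off != start and rom[off:off + CHUNK] == block:
            return {"offset": start, "status": "mirror", "mirror_of": off}
    return {"offset": start, "status": "present"}

def assess_dump(rom: bytes) -> dict:
    """Heuristic verdict on whether a dump carries the 0x1000-0x2FFF security data."""
    lo, hi = SECURITY_AREA
    if len(rom) < hi:
        return {"verdict": "too_short", "chunks": []}
    chunks = [classify_chunk(rom, off) for off in range(lo, hi, CHUNK)]
    if any(c["status"] != "present" for c in chunks):
        return {"verdict": "likely_bad", "chunks": chunks}
    ent = {f"{a:#x}-{b - 1:#x}": round(entropy_bits(rom[a:b]), 2) for a, b in RANDOM_FILL}
    verdict = "likely_good" if min(ent.values()) > 7.0 else "suspicious"
    return {"verdict": verdict, "chunks": chunks, "random_fill_entropy": ent}

def _stream(seed: bytes, n: int) -> bytes:
    """Deterministic filler for constructed samples (SHA-256 counter, not any DS algorithm)."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))
    return out[:n]

def build_sample(good: bool) -> bytes:
    """Constructed 32 KiB image: header at 0, secure area at 0x4000, security area real or mirrored."""
    rom = bytearray(0x8000)
    rom[0:0x200] = _stream(b"header", 0x200)
    rom[0x4000:0x8000] = _stream(b"secure", 0x4000)
    if good:
        rom[0x1000:0x3000] = _stream(b"security", 0x2000)
    else:  # assumed stand-in for the mirrored reads the post describes: copies of the header chunk
        rom[0x1000:0x3000] = rom[0x0000:0x1000] * 2
    return bytes(rom)
```

Running `assess_dump` on a real image reports which chunk mirrors which offset, so a "likely_bad" verdict also tells you what the cart handed back instead of the tables.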