Pages: 12345 »
Posted on 05-02-18, 10:40 pm (rev. 3 by  Dirbaio on 05-15-21, 12:35 am)
Super Mario
( ͡° ͜ʖ ͡°)

Karma: 9979
Posts: 4407/4456
Since: 06-08-11
I recently came across an auction from a bankrupt Spanish video game development company. They had tons of cool rare development hardware, among it Nintendo DS development ones! Of course I had to get some

I've been playing with them, trying to get them working and do useful stuff. I thought I should document publicly what they do, instead of just shelving them away as collectibles like most people seem to do.

It's really cool because they have very interesting ROM hacking applications

EDIT: I'm selling one IS-NITRO-EMULATOR! 230 EUR + shipping, PM me for details. sold

Rewritable flash cards




These act like regular Nintendo DS game cards, except they can have ROMs written and rewritten to them, using the IS-NITRO-EMULATOR or the IS-NITRO-WRITER.

If you open the top half, they have a "sub-card" inside, which is the backup memory (for saved game data). They're swappable because there are several types and sizes of backup memory (EEPROM and Flash), and the game developers needed to test with cards with the right type of backup memory. The main cards and the sub cards were sold to devs separately so they could choose the backup memory type and swap it themselves.

Having the right sub card is important if you want to run a commercial ROM that needs a particular backup memory type and size.

IS-NITRO-EMULATOR



This is the "main" Nintendo DS development kit. Devs used this to test and debug their games. You can boot a ROM in it and then debug it, put breakpoints in the ASM code, view and edit the RAM, etc.

The name "EMULATOR" comes from the fact it emulates the DS game card: it has extra hardware that makes the NDS CPU believe it's reading stuff from a game card, but it's in fact reading from some special RAM inside it that can be written to using its PC software.

Interestingly the backup memory is passed through to the real card plugged in to the SLOT-1. This is probably because the entire gamecard SPI bus is passed through, probably so devs can use real cards that have extra fancy hardware in the SPI bus like some games do.



Overview of the thing. Front panel has 3 LEDs: "SYSTEM1", "SYSTEM2" and "POWER". A cable comes out of it to a regular-looking DS, except its SLOT-1 and SLOT-2 are unusable (SLOT1 has the cable, SLOT2 is glued shut).
- SYSTEM1: Indicates SLOT-1 is on
- SYSTEM2: Indicates SLOT-2 is on
- POWER: Power, duh.

The top has the SLOT-1 and SLOT-2.

Back panel has:
- Power switch
- Power input (12V DC, it uses the same power connector and adapter as the GameCube)
- DIP switches
- USB
- 2 video outs (same video connector as GameCube). They only work if the IS-NITRO-EMULATOR has the "Video" option.
- "Wireless" wired ethernet jack. You can connect two IS-NITRO-EMULATORs with an ethernet cable to simulate wifi connectivity between them. IS-NITRO-EMULATORs that have the Wireless option can use real wifi, and toggle between them with a DIP switch.

The "wired wireless" is interesting, and is a recurring theme in Nintendo devkits. I guess it's to prevent interference/saturation if you have 100 developers in a single office with 100 of these, all using wifi at the same time to test their games. Wii and WiiU devkits also have wired coaxial cables between the devkit and the remotes, for example.

Options

Devs could buy these with different optional features, at different prices. They have a sticker on the bottom with the purchased options.

- "USG": attached controller is DS lite, not old DS "phat".
- Video: Allows using video out
- Wireless: Can use real wireless and not "wired wireless". The ones that have this have this black flat protrusion at the top, which contains the wifi antenna (If it was inside the blue box it wouldn't work due to it working as a Faraday cage)

DIP switches
There are 8 DIP switches at the back. This is what they do:
  • Switch 1: if ON, it turns on the debugging serial port (see teardown pics later). According to manual: "not used, set to OFF"
  • Switch 2: According to manual: "not used, set to OFF". Setting it to ON makes the PC software complain and refuse to work...??
  • Switch 3: According to manual: "not used, set to OFF". Setting it to ON causes DS to not power on, "SYSTEM1" led flashes forever, PC software complains??
  • Switch 4: Firmware factory reset. When setting this to ON and turning on the thing, all 3 front LEDs turn on, then after ~20 seconds, SYSTEM1 LED turns off, presumably indicating the "firmware restore" is done. You then have to set the DIP switch back to OFF, then turn off and on the thing. This seems to reset the V850 CPU firmware (See teardown). After doing this and trying to use the PC software, it will prompt you to upgrade the firmware. It does not erase the DS firmware settings (name, favorite color, etc...)
  • Switch 5: OFF = uses wired "wireless". ON = uses actual wireless, if your unit has wireless option.
  • Switch 6: "Used to set the color of the outside of the LCD Screen, on images output by the AV Cable. Set to OFF for black and ON for gray."
  • Switch 7: "When set to ON, the DS Upper Screen and Lower Screen are output as a single image from AVOUT1. When set to OFF, the upper screen is output from AVOUT1"
  • Switch 8: "When set to ON, the DS Upper Screen and Lower Screen are output as a single image from AVOUT2. When set to OFF, the upper screen is output from AVOUT2"


Power on

Plug it in, power it on. It boots to the regular DS firmware menu like a regular DS. You can pictochat and Download Play and all.

Putting a game card in doesn't work (firmware still shows "no DS card inserted"). This is because it doesn't read from the real plugged in game card, but from the emulated one. You need the PC software to write a ROM to the emulated game card and actually run something in it.

Installing the software on Windows 10
Since it's copyrighted, same rules apply as posting ROMs, so I won't post a link. But finding it is easy if you know how to google .

It's tricky to get working on Windows 10 because it needs a special driver that's not digitally signed. You have to disable "driver signature enforcement" this way:

- Click the Start Start menu and select Settings.
- Click Update and Security.
- Click on Recovery.
- Click Restart now under Advanced Startup.
- Click Troubleshoot.
- Click Advanced options.
- Click Startup Settings.
- Click on Restart.
- On the Startup Settings screen press 7 or F7 to disable driver signature enforcement.

Once this is done, you're ready to install and use the software:

- Right-click installer exe, go to Properties
- Compatibility
- Run in Windows XP compatibility mode
- Run the installer
- Follow instructions. You'll get prompted two times to install drivers, you have to click "Install anyway".
- Done!

This is how the PC software looks like. This is when hitting a breakpoint and doing some single stepping. Can you recognize what code is this??


Running a ROM

Commercial ROMs have to be encrypted for this to work! Pretty much all ROM you'll find out there are already decrypted for you, so you need to encrypt them back.

The best way to do this is with ndstool from devkitPro. ("endrypts advanced", the other tool around for this, seems to work okay for running ROMs but not for writing them to dev cards, so I recommend you use ndstool.)

Open a terminal, then run:
ndstool -se my_rom_file.nds

Homebrew ROMs don't care if they're encrypted or not because they don't use the ARM9 binary at 0x02000000 - 0x02000800, which is the region affected by encryption.


- Go to File -> Load file
- Select "SRL" in the left list
- Select the .nds ROM file (you have to select "All Files", alternatively rename your ROM to *.srl)
- Check "Execute both processors" and "Do hardware reset"
- Go!

If your ROM requires backup hardware (game save info), you will need to insert a dev card with the right type of save memory (EEPROM vs flash, and right size). From the PC software you can then click the toolbar button "Turning the power on/off of the DS card slot", which will turn on SLOT-1. "SYSTEM1" LED should turn on to indicate SLOT-1 is on.

Writing a ROM to a dev flash cards



You can write a ROM in a dev flash card, which then works in regular DSs like a real Nintendo DS commercial game! You can write your ROM hack to it, for example! This is the closest you can get to having your ROM hack in real DS game cards.

- Insert a dev flash card in SLOT1.
- Run the ROM (see above)
- Go to Tools -> DS Flash Card
- Click Identify, then Start.
- Wait a loooooooong time
- Check and pray the card works on a regular DS.

Getting this to work is fiddly, I'm still figuring out what works and what doesn't. Sometimes changing the game code to "NTRJ" makes it work, especially for homebrew that has "####" as game code, which the DS firmware doesn't seem to like.

If you edit the ROM header don't forget to fix the header CRC. You can do so with "ndstool -f".

====================

Coming soon: Teardown, open source Python driver to load ROMs, and more nice hardware!
Posted on 05-02-18, 11:17 pm
(Words)

Karma: 730
Posts: 177/265
Since: 01-03-16
No way, this is amazing.
Rom hacking has truly come full circle now, I've never seen so much information for this kind of stuff so this is an incredible find.

So did those Flash Cards come with Camp Rock or where they completely wiped clean? I feel like we'd be at a loss if it didn't come with it.
_________________________
"I strikingly thought you would know how but it clearly seems you have no knowledge of hacking" - MiiU 2017
Posted on 05-02-18, 11:23 pm
Super Mario
( ͡° ͜ʖ ͡°)

Karma: 9979
Posts: 4408/4456
Since: 06-08-11
Some came with prototype/unfinished games, yes. Some others came with nothing.

I've dumped them, but I'm not sure how/if to share though because copyright stuff.

I've also got DSi gamecards and debugger units, some contain protos too but they can't seem to be dumpable with DS dumping tools, help welcome.
Posted on 05-02-18, 11:47 pm
(Words)

Karma: 730
Posts: 178/265
Since: 01-03-16
I would think protos are in the grey area for copyright but I wouldn't know either.

As for the DSi ones, I would believe that using Decrypt9 and TWLSaveTool on a 3DS with CFW could work...?
_________________________
"I strikingly thought you would know how but it clearly seems you have no knowledge of hacking" - MiiU 2017
Posted on 05-02-18, 11:58 pm
Super Mario
( ͡° ͜ʖ ͡°)

Karma: 9979
Posts: 4409/4456
Since: 06-08-11
Posted by TruelyJohn64
As for the DSi ones, I would believe that using Decrypt9 and TWLSaveTool on a 3DS with CFW could work...?


Yeah... I'm trying to get hands on a 3DS to do that as I don't have one myself

Interestingly some of the DSi cards contain DS software (they work if you boot them on a regular DS) so they should be dumpable on a DS, but it doesn't work...
Posted on 05-02-18, 11:59 pm
Super Mario
( ͡° ͜ʖ ͡°)

Karma: 9979
Posts: 4410/4456
Since: 06-08-11

IS-NITRO-EMULATOR teardown



Let's crack it open to see what's inside!
This teardown is of an IS-NITRO-EMULATOR of the DS phat variant, without wifi or video options.

Opening it up


The thing opens up easily, removing screws on the sides and the back. Removing two screws at the bottom side allows you to remove the front plate. Then, removing more screws allows you to pop put the entire stack of boards. There are 4 main boards on this thing stacked together which is quite a lot!

Two boards have heatsinks for the power supply transistors, with grey gooey thermal pads that contact the bottom of the case for better thermal dissipation.

There are 4 boards. From front to back they are:
- DS CPU board
- Video board
- Main CPU board
- Card emu board

They all have big connectors between them that join when sandwitched together, plus there's a huge flat colorful cable between the DS CPU board and the card emu board at the side.

NDS CPU board


This seems to be a special bigger version of the full Nintendo DS hardware. It has the DS CPU chip in it, and the conenction to the controller.

The sub-board has space for the Wifi chip, which is not there because this unit does not have the wifi option.

Video board


This board seems to be for handling the video out. It has one nice big FPGA

Interestingly it's fully populated even if this unit doesn't have the video option, which makes me wonder if it's simply a software restriction. In that case it could theoretically be possible to enable it via firmware hacks.

Control CPU board


This board has a NEC D703103AGJ CPU, which seems to be the central brain of the system.
- it controls the USB communications (chip on bottom left is an USB controller)
- Status LEDs
- DIP switches
- Main power supply, with the power switch.

It has a serial port at the top white connector. Baud rate 115200, 8 bits, no parity bit, 1 stop bit. It spits out debug information when booting with DIP switch 1 set to ON. Typing into it seems to do nothing (it's not an interactive console, aww...). It is 3.3v. I don't know if it's 5V tolerant, so be VERY careful what serial adapter you use here.

I don't know what the connector on the left is. Maybe JTAG?

Gamecard emulator board


This board does all the gamecard emulation with two huge FPGAs.

The 256MB RAM stick is where the emulated ROM image is stored when you load it from the PC software. Interestingly, it's the same form factor as laptop RAM (SODIMM), but it's SDRAM, unlike regular computer RAM like DDR3 or DDR4.

It has 1 relay for the GBA slot and 2 relays in the NDS slot sub-board (the black tall rectangles). These are the things that audibly "CLICK!" when you turn on or off the slot1/2 power from the software!

DS controller


This is the insides of the DS "controller". It's 100% dumb, it has no CPU, it's not a real DS! It receives the screens video from the huge cable and sends back the buttons and touch input.

The whole cable and the connection seems to be very well shielded from EMI (with the copper sheet you see)

TODO: Post pics of the NDS case. It is a regular DS case, with some extra ad-hoc modifications to fit the PCB at the top when the cable comes out.
Posted on 05-03-18, 04:40 pm
Buzzy Beetle


Karma: 928
Posts: 224/392
Since: 11-20-15
Posted by Dirbaio
Some came with prototype/unfinished games, yes. Some others came with nothing.

I've dumped them, but I'm not sure how/if to share though because copyright stuff.

I've also got DSi gamecards and debugger units, some contain protos too but they can't seem to be dumpable with DS dumping tools, help welcome.


Were there any other games? If so, which games were there?
_________________________
Posted on 05-03-18, 07:18 pm
Giant Paratroopa
Cream Cheese King

Karma: 2140
Posts: 50/1379
Since: 04-24-18
I like seeing this kind of stuff, especially when this stuff rarely can be found at thrift stores, old game stores like disc replay!
_________________________


Discord Server 1 - Discord Server 2 - Youtube Channel
Posted on 05-04-18, 08:05 pm
Goomba


Karma: 120
Posts: 29/31
Since: 03-27-14
Could this be used to make better software emulators? O•O

Or am I stupid and that's not how this works
Posted on 05-05-18, 12:42 am
Super Mario
( ͡° ͜ʖ ͡°)

Karma: 9979
Posts: 4411/4456
Since: 06-08-11
Posted by Ambiance 69
Were there any other games? If so, which games were there?


Hello Flowerz!, Imagine: Fashion Designer, Imagine: Cooking Something Something. The games are pretty meh. The gadgets came from this company's bankruptcy: https://www.elconfidencial.com/tecnologia/2016-07-06/virtual-toys-videojuegos-ere-despidos_1227682/ (news article in spanish)

Posted by LakituGames
Could this be used to make better software emulators? O•O


Well the "emulator" name is misleading, it's an actual hardware DS, not emulated. The "emulator" name refers to the fact that it emulates the slot-1 game card.

It's not directly useful for coding DS emulators.

-----

By the way, I'm selling one IS-NITRO-EMULATOR. 230 EUR + shipping, PM me for details.
Posted on 05-05-18, 02:40 pm (rev. 10 by  SGC on 05-05-18, 02:55 pm)
Red Paragoomba


Karma: 198
Posts: 31/51
Since: 01-21-16
I have an IS Nitro Emulator as well, I use it to test my MKDS CTs directly from my PC.
They're very useful for figuring out crashes, and the like.
My model is the DS Lite version without wireless.

Also, Gericom tested the video output a few months back.
It is indeed a software restriction, and he made a program that activates it. All units have this feature, even if they claim not to.
It's kind of weird that Nintendo put something like that behind a 400 dollar pay wall.
It's also a bit obvious it's a software restriction, since if you plugin an AV Cable into a unit without video output enabled, such as my own, you can hear sound output from the television, as Geri, and I found out when he asked me to test his program with him, since he didn't have any GC AV Cables to use with his own unit.

I got my unit off of ebay for 180 bucks with the help of a friend.
I bought my unit from hard4games back in December.

Although, my own unit seem as though it had never been used before, as if it were simply taken out of the packaging it first came in, since they were no scuffs, or scratches on the controller at all, and what seems to be a temporary cover on the bottom screen meant to be taken off after the unit has been taken out of it's original packaging.
_________________________
MKDS Hacking & Modding Server:
https://discord.gg/KhETqr7
Posted on 05-05-18, 03:40 pm
Mariomaster

Karma: 8528
Posts: 1194/1681
Since: 06-09-12
Oh this is interesting. I will soon have one of these too (DS Lite/wireless/no video).

I thought there was an optional 4th board in the unit that is responsible for video output. Would be great if you could link me the tools or some more information about unlocking the thing

Nintendo actually now only has a single type of 3ds devkit and all the different features are unlocked via buying different software licenses.


_________________________
GitHub - Kuribo64 - YouTube
Posted on 05-05-18, 04:18 pm (rev. 3 by  SGC on 05-05-18, 05:02 pm)
Red Paragoomba


Karma: 198
Posts: 32/51
Since: 01-21-16
I'll have to ask Gericom if I can share the video enabler, but I'll see what I can do.

Gericom already researched a big chunk of the firmware too, and documented some of the internal registers, as well.
He also figured out how the wired Wi-Fi works.

Alright, here's a link to the ISNE video enable I got permission to share it from Gericom:
https://cdn.discordapp.com/attachments/198838764900974592/411538663042711562/Debug.zip
https://cdn.discordapp.com/attachments/198838764900974592/411544282978320386/Debug.zip

To use it, just double click the program while the ISNE is running, what you see on the TV may differ depending on if the AV cable
is pluged into AV Out 1, or AV out 2.

Geri made multiple versions of the program that show different screen configuration on either of the out puts.

The one in the first link in particular out put the Top, and bottom screen out of AV Out 1, forgot what it out puts with AV Out 2.

The second on out puts on the top screen on both AV outs, iirc.


_________________________
MKDS Hacking & Modding Server:
https://discord.gg/KhETqr7
Posted on 05-06-18, 03:48 am
Super Mario
( ͡° ͜ʖ ͡°)

Karma: 9979
Posts: 4414/4456
Since: 06-08-11
Posted by SGC
I got my unit off of ebay for 180 bucks with the help of a friend.
I bought my unit from hard4games back in December.

Although, my own unit seem as though it had never been used before, as if it were simply taken out of the packaging it first came in, since they were no scuffs, or scratches on the controller at all, and what seems to be a temporary cover on the bottom screen meant to be taken off after the unit has been taken out of it's original packaging.


Oh my god, 180 bucks for a shiny new one is an awesome deal, lucky you! All the ones I have are very used. Minor scratches and dirtiness, but most are in good condition.

I got a DS phat one that had the broken hinge. it's the one in the teardown pics actually. I figured I might disassemble that one in case I broke it, but thankfully disassembly and reassembly is quite easy and it worked just as well when reassembling it.

I tried to swap the case with a regular DS phat, but they made minor modifications to fit the PCB and huge cable and connector. (Note to sel: post the pics)

Posted by RicBent
Nintendo actually now only has a single type of 3ds devkit and all the different features are unlocked via buying different software licenses.


I'm not so sure about that, the one I got seem to be missing the video board entirely,
the back has holes covered with a plate. Pic of the back



Oh my god, this is amazing! I gotta try this out asap, I need to get GC video cables tho
Posted on 05-06-18, 09:54 am
Mariomaster

Karma: 8528
Posts: 1198/1681
Since: 06-09-12
IIRC what I read was about the SNAKE units (new 3ds).
_________________________
GitHub - Kuribo64 - YouTube
Posted on 05-06-18, 07:00 pm (rev. 1 by  Gericom on 05-06-18, 07:01 pm)
Shyguy


Karma: 160
Posts: 72/90
Since: 07-10-12
@Dirbaio I can soon supply you with more information I have gathered and an ida pro database of the firmware. (I'm currently on a holiday) The only thing that is basically left to explore is if video capture over usb is possible with is-nitro-emulator too. The firmware in the video fpga is the same one as used for is-nitro-capture, and there is even some code that seems to be for taking a screenshot, but it seems to hang in an endless loop waiting for the capture status bit to become 0, but that never happens. This causes the device to hang.

Very nice teardown you did there by the way. I only had such pics of the is-nitro-capture until now.

Also, you probably saw I invited you to a repo where some code resulting from my research is stored.

As for the wired-wifi, I managed to write vhdl code to receive and send packets over it. It's basically just baseband wifi signals.
Posted on 05-06-18, 09:40 pm
Super Mario
( ͡° ͜ʖ ͡°)

Karma: 9979
Posts: 4416/4456
Since: 06-08-11
Oh hey Gericom, long time no see!

Yeah, I got the invite to the repo. Pretty interesting stuff you got there! USB capture would be extremely interesting too.

I haven't got around to reversing the NEC, so do share the IDB!

Also I've been working on reversing Nintendo's debug rom: https://nsmbhd.net/file/uDGX4P4fxbB7TvrJ/debugrom2.idb

It's surprising that all the breakpoint and step by step stuff seems implemented there, in software! :o I'd have expected it's done with JTAG... What's the JTAG used for then?

The debugrom seems to be using the GBA RAM at 0x09f80000 for communication: when FIQ is triggered, it does a bunch of stuff and then loops reading commands from there. You can read/write to that memory via USB, but ISND doesn't seem to do that aside from the initial write, and uses special commands. Is the NEC that then writes to that memory? Do you have any info on this?

Also interesting: Mine is identical to yours, except the timestamp at 0x02700218 (the PC tool puts it there so the arm7 can sync the DS's clock on boot!)
Posted on 05-06-18, 09:44 pm
Super Mario
( ͡° ͜ʖ ͡°)

Karma: 9979
Posts: 4417/4456
Since: 06-08-11
Also I've been working on implementing a Python driver: https://github.com/Dirbaio/NitroDriver (probably you already saw).

I'm using python/pyusb because I want it to work on Linux Also, I want to write a debugrom from scratch so we don't run into copyright issues, and maybe also add extra cool features (?)
Posted on 05-07-18, 06:31 am (rev. 3 by  Gericom on 05-07-18, 07:35 am)
Shyguy


Karma: 160
Posts: 73/90
Since: 07-10-12
Posted by Dirbaio
Oh hey Gericom, long time no see!

Yeah, I got the invite to the repo. Pretty interesting stuff you got there! USB capture would be extremely interesting too.

I haven't got around to reversing the NEC, so do share the IDB!

Also I've been working on reversing Nintendo's debug rom: https://nsmbhd.net/file/uDGX4P4fxbB7TvrJ/debugrom2.idb

It's surprising that all the breakpoint and step by step stuff seems implemented there, in software! :o I'd have expected it's done with JTAG... What's the JTAG used for then?

The debugrom seems to be using the GBA RAM at 0x09f80000 for communication: when FIQ is triggered, it does a bunch of stuff and then loops reading commands from there. You can read/write to that memory via USB, but ISND doesn't seem to do that aside from the initial write, and uses special commands. Is the NEC that then writes to that memory? Do you have any info on this?

Also interesting: Mine is identical to yours, except the timestamp at 0x02700218 (the PC tool puts it there so the arm7 can sync the DS's clock on boot!)

I'll be back home on Sunday or so, so I'll get you the database then and my document on the internal registers. I also have a database of the is-nitro-capture firmware. From what I know, the capture data should be transferred to the usb over the usb controller high speed bus, which would make sense, since the nec is not that fast and the capture data cannot be found anywhere in memory.

The jtag is used for hardware breakpoints (read/write address). My guess is that they already had implemented most of the software debugging stuff for gba already (no jtag there), so that just adapted it for arm9.

The debugram is 256 kb of sram which can be read/written at any time, using usb commands and also by the nec chip when sending certain commands, for example for reading ds memory or setting a software breakpoint (both of which thus only work while in break mode). You can remap it to a different address by the way. And it's also possible to remove the agb bus protection that disallows retail gba cartridges to run normally (because part of the address space is not passed through).

As for the timestamp, I did not identify the command yet to set the rtc.

About the driver, there actually is a properly signed version of it, which comes with the is-ctr. This is because is-nitro-writer is still used (although sightly altered) for 3ds stuff.

Posted by Dirbaio
Also I've been working on implementing a Python driver: https://github.com/Dirbaio/NitroDriver (probably you already saw).

I'm using python/pyusb because I want it to work on Linux Also, I want to write a debugrom from scratch so we don't run into copyright issues, and maybe also add extra cool features (?)


I'm not a big fan of python, but the more research the better

Codewarrior uses a different monitor rom by the way.
Posted on 05-11-18, 03:01 am
Shyguy
bbomb64

Karma: 170
Posts: 39/85
Since: 12-17-17
Damn. That Nitro looks like something straight out of the late 70's. I'd want one of these just for my desk.

Also, the SNES uses the same AV port I think.
Pages: 12345 »