Dirbaio |
Posted on 05-02-18, 10:40 pm (rev. 3 by Dirbaio on 05-15-21, 12:35 am)
|
Super Mario
( ͡° ͜ʖ ͡°) Karma: 10061 Posts: 4407/4458 Since: 06-08-11 |
I recently came across an auction from a bankrupt Spanish video game development company. They had tons of cool rare development hardware, among it Nintendo DS development ones! Of course I had to get some
I've been playing with them, trying to get them working and do useful stuff. I thought I should document publicly what they do, instead of just shelving them away as collectibles like most people seem to do. It's really cool because they have very interesting ROM hacking applications Rewritable flash cardsThese act like regular Nintendo DS game cards, except they can have ROMs written and rewritten to them, using the IS-NITRO-EMULATOR or the IS-NITRO-WRITER. If you open the top half, they have a "sub-card" inside, which is the backup memory (for saved game data). They're swappable because there are several types and sizes of backup memory (EEPROM and Flash), and the game developers needed to test with cards with the right type of backup memory. The main cards and the sub cards were sold to devs separately so they could choose the backup memory type and swap it themselves. Having the right sub card is important if you want to run a commercial ROM that needs a particular backup memory type and size. IS-NITRO-EMULATORThis is the "main" Nintendo DS development kit. Devs used this to test and debug their games. You can boot a ROM in it and then debug it, put breakpoints in the ASM code, view and edit the RAM, etc. The name "EMULATOR" comes from the fact it emulates the DS game card: it has extra hardware that makes the NDS CPU believe it's reading stuff from a game card, but it's in fact reading from some special RAM inside it that can be written to using its PC software. Interestingly the backup memory is passed through to the real card plugged in to the SLOT-1. This is probably because the entire gamecard SPI bus is passed through, probably so devs can use real cards that have extra fancy hardware in the SPI bus like some games do. Overview of the thing. Front panel has 3 LEDs: "SYSTEM1", "SYSTEM2" and "POWER". A cable comes out of it to a regular-looking DS, except its SLOT-1 and SLOT-2 are unusable (SLOT1 has the cable, SLOT2 is glued shut). - SYSTEM1: Indicates SLOT-1 is on - SYSTEM2: Indicates SLOT-2 is on - POWER: Power, duh. The top has the SLOT-1 and SLOT-2. Back panel has: - Power switch - Power input (12V DC, it uses the same power connector and adapter as the GameCube) - DIP switches - USB - 2 video outs (same video connector as GameCube). They only work if the IS-NITRO-EMULATOR has the "Video" option. - "Wireless" wired ethernet jack. You can connect two IS-NITRO-EMULATORs with an ethernet cable to simulate wifi connectivity between them. IS-NITRO-EMULATORs that have the Wireless option can use real wifi, and toggle between them with a DIP switch. The "wired wireless" is interesting, and is a recurring theme in Nintendo devkits. I guess it's to prevent interference/saturation if you have 100 developers in a single office with 100 of these, all using wifi at the same time to test their games. Wii and WiiU devkits also have wired coaxial cables between the devkit and the remotes, for example. Options Devs could buy these with different optional features, at different prices. They have a sticker on the bottom with the purchased options. - "USG": attached controller is DS lite, not old DS "phat". - Video: Allows using video out - Wireless: Can use real wireless and not "wired wireless". The ones that have this have this black flat protrusion at the top, which contains the wifi antenna (If it was inside the blue box it wouldn't work due to it working as a Faraday cage) DIP switches There are 8 DIP switches at the back. This is what they do:
Power on Plug it in, power it on. It boots to the regular DS firmware menu like a regular DS. You can pictochat and Download Play and all. Putting a game card in doesn't work (firmware still shows "no DS card inserted"). This is because it doesn't read from the real plugged in game card, but from the emulated one. You need the PC software to write a ROM to the emulated game card and actually run something in it. Installing the software on Windows 10 Since it's copyrighted, same rules apply as posting ROMs, so I won't post a link. But finding it is easy if you know how to google . It's tricky to get working on Windows 10 because it needs a special driver that's not digitally signed. You have to disable "driver signature enforcement" this way: - Click the Start Start menu and select Settings. - Click Update and Security. - Click on Recovery. - Click Restart now under Advanced Startup. - Click Troubleshoot. - Click Advanced options. - Click Startup Settings. - Click on Restart. - On the Startup Settings screen press 7 or F7 to disable driver signature enforcement. Once this is done, you're ready to install and use the software: - Right-click installer exe, go to Properties - Compatibility - Run in Windows XP compatibility mode - Run the installer - Follow instructions. You'll get prompted two times to install drivers, you have to click "Install anyway". - Done! This is how the PC software looks like. This is when hitting a breakpoint and doing some single stepping. Can you recognize what code is this?? Running a ROM Commercial ROMs have to be encrypted for this to work! Pretty much all ROM you'll find out there are already decrypted for you, so you need to encrypt them back. The best way to do this is with ndstool from devkitPro. ("endrypts advanced", the other tool around for this, seems to work okay for running ROMs but not for writing them to dev cards, so I recommend you use ndstool.) Open a terminal, then run: ndstool -se my_rom_file.nds Homebrew ROMs don't care if they're encrypted or not because they don't use the ARM9 binary at 0x02000000 - 0x02000800, which is the region affected by encryption. - Go to File -> Load file - Select "SRL" in the left list - Select the .nds ROM file (you have to select "All Files", alternatively rename your ROM to *.srl) - Check "Execute both processors" and "Do hardware reset" - Go! If your ROM requires backup hardware (game save info), you will need to insert a dev card with the right type of save memory (EEPROM vs flash, and right size). From the PC software you can then click the toolbar button "Turning the power on/off of the DS card slot", which will turn on SLOT-1. "SYSTEM1" LED should turn on to indicate SLOT-1 is on. Writing a ROM to a dev flash cards You can write a ROM in a dev flash card, which then works in regular DSs like a real Nintendo DS commercial game! You can write your ROM hack to it, for example! This is the closest you can get to having your ROM hack in real DS game cards. - Insert a dev flash card in SLOT1. - Run the ROM (see above) - Go to Tools -> DS Flash Card - Click Identify, then Start. - Wait a loooooooong time - Check and pray the card works on a regular DS. Getting this to work is fiddly, I'm still figuring out what works and what doesn't. Sometimes changing the game code to "NTRJ" makes it work, especially for homebrew that has "####" as game code, which the DS firmware doesn't seem to like. If you edit the ROM header don't forget to fix the header CRC. You can do so with "ndstool -f". ==================== Coming soon: Teardown, open source Python driver to load ROMs, and more nice hardware! |
TruelyJohn64 |
Posted on 05-02-18, 11:17 pm
|
(Words)
Karma: 755 Posts: 177/265 Since: 01-03-16 |
No way, this is amazing.
Rom hacking has truly come full circle now, I've never seen so much information for this kind of stuff so this is an incredible find. So did those Flash Cards come with Camp Rock or where they completely wiped clean? I feel like we'd be at a loss if it didn't come with it. _________________________ "I strikingly thought you would know how but it clearly seems you have no knowledge of hacking" - MiiU 2017 |
Dirbaio |
Posted on 05-02-18, 11:23 pm
|
Super Mario
( ͡° ͜ʖ ͡°) Karma: 10061 Posts: 4408/4458 Since: 06-08-11 |
Some came with prototype/unfinished games, yes. Some others came with nothing.
I've dumped them, but I'm not sure how/if to share though because copyright stuff. I've also got DSi gamecards and debugger units, some contain protos too but they can't seem to be dumpable with DS dumping tools, help welcome. |
TruelyJohn64 |
Posted on 05-02-18, 11:47 pm
|
(Words)
Karma: 755 Posts: 178/265 Since: 01-03-16 |
I would think protos are in the grey area for copyright but I wouldn't know either.
As for the DSi ones, I would believe that using Decrypt9 and TWLSaveTool on a 3DS with CFW could work...? _________________________ "I strikingly thought you would know how but it clearly seems you have no knowledge of hacking" - MiiU 2017 |
Dirbaio |
Posted on 05-02-18, 11:58 pm
|
Super Mario
( ͡° ͜ʖ ͡°) Karma: 10061 Posts: 4409/4458 Since: 06-08-11 |
Posted by TruelyJohn64 As for the DSi ones, I would believe that using Decrypt9 and TWLSaveTool on a 3DS with CFW could work...? Yeah... I'm trying to get hands on a 3DS to do that as I don't have one myself Interestingly some of the DSi cards contain DS software (they work if you boot them on a regular DS) so they should be dumpable on a DS, but it doesn't work... |
Dirbaio |
Posted on 05-02-18, 11:59 pm
|
Super Mario
( ͡° ͜ʖ ͡°) Karma: 10061 Posts: 4410/4458 Since: 06-08-11 |
IS-NITRO-EMULATOR teardownLet's crack it open to see what's inside! This teardown is of an IS-NITRO-EMULATOR of the DS phat variant, without wifi or video options. Opening it up The thing opens up easily, removing screws on the sides and the back. Removing two screws at the bottom side allows you to remove the front plate. Then, removing more screws allows you to pop put the entire stack of boards. There are 4 main boards on this thing stacked together which is quite a lot! Two boards have heatsinks for the power supply transistors, with grey gooey thermal pads that contact the bottom of the case for better thermal dissipation. There are 4 boards. From front to back they are: - DS CPU board - Video board - Main CPU board - Card emu board They all have big connectors between them that join when sandwitched together, plus there's a huge flat colorful cable between the DS CPU board and the card emu board at the side. NDS CPU board This seems to be a special bigger version of the full Nintendo DS hardware. It has the DS CPU chip in it, and the conenction to the controller. The sub-board has space for the Wifi chip, which is not there because this unit does not have the wifi option. Video board This board seems to be for handling the video out. It has one nice big FPGA Interestingly it's fully populated even if this unit doesn't have the video option, which makes me wonder if it's simply a software restriction. In that case it could theoretically be possible to enable it via firmware hacks. Control CPU board This board has a NEC D703103AGJ CPU, which seems to be the central brain of the system. - it controls the USB communications (chip on bottom left is an USB controller) - Status LEDs - DIP switches - Main power supply, with the power switch. It has a serial port at the top white connector. Baud rate 115200, 8 bits, no parity bit, 1 stop bit. It spits out debug information when booting with DIP switch 1 set to ON. Typing into it seems to do nothing (it's not an interactive console, aww...). It is 3.3v. I don't know if it's 5V tolerant, so be VERY careful what serial adapter you use here. I don't know what the connector on the left is. Maybe JTAG? Gamecard emulator board This board does all the gamecard emulation with two huge FPGAs. The 256MB RAM stick is where the emulated ROM image is stored when you load it from the PC software. Interestingly, it's the same form factor as laptop RAM (SODIMM), but it's SDRAM, unlike regular computer RAM like DDR3 or DDR4. It has 1 relay for the GBA slot and 2 relays in the NDS slot sub-board (the black tall rectangles). These are the things that audibly "CLICK!" when you turn on or off the slot1/2 power from the software! DS controller This is the insides of the DS "controller". It's 100% dumb, it has no CPU, it's not a real DS! It receives the screens video from the huge cable and sends back the buttons and touch input. The whole cable and the connection seems to be very well shielded from EMI (with the copper sheet you see) TODO: Post pics of the NDS case. It is a regular DS case, with some extra ad-hoc modifications to fit the PCB at the top when the cable comes out. |
KTRMAmbiance |
Posted on 05-03-18, 04:40 pm
|
Buzzy Beetle
Karma: 935 Posts: 224/396 Since: 11-20-15 |
Posted by Dirbaio Some came with prototype/unfinished games, yes. Some others came with nothing. I've dumped them, but I'm not sure how/if to share though because copyright stuff. I've also got DSi gamecards and debugger units, some contain protos too but they can't seem to be dumpable with DS dumping tools, help welcome. Were there any other games? If so, which games were there? _________________________ |
Skylander |
Posted on 05-03-18, 07:18 pm
|
Giant Paratroopa
Cream Cheese King Karma: 2150 Posts: 50/1379 Since: 04-24-18 |
I like seeing this kind of stuff, especially when this stuff rarely can be found at thrift stores, old game stores like disc replay!
_________________________ Discord Server 1 - Discord Server 2 - Youtube Channel |
LakituGames |
Posted on 05-04-18, 08:05 pm
|
Goomba
Karma: 120 Posts: 29/31 Since: 03-27-14 |
Could this be used to make better software emulators? O•O
Or am I stupid and that's not how this works |
Dirbaio |
Posted on 05-05-18, 12:42 am
|
Super Mario
( ͡° ͜ʖ ͡°) Karma: 10061 Posts: 4411/4458 Since: 06-08-11 |
Posted by Ambiance 69 Were there any other games? If so, which games were there? Hello Flowerz!, Imagine: Fashion Designer, Imagine: Cooking Something Something. The games are pretty meh. The gadgets came from this company's bankruptcy: https://www.elconfidencial.com/tecnologia/2016-07-06/virtual-toys-videojuegos-ere-despidos_1227682/ (news article in spanish) Posted by LakituGames Could this be used to make better software emulators? O•O Well the "emulator" name is misleading, it's an actual hardware DS, not emulated. The "emulator" name refers to the fact that it emulates the slot-1 game card. It's not directly useful for coding DS emulators. ----- By the way, I'm selling one IS-NITRO-EMULATOR. 230 EUR + shipping, PM me for details. |
SGC |
Posted on 05-05-18, 02:40 pm (rev. 10 by SGC on 05-05-18, 02:55 pm)
|
Red Paragoomba
Karma: 198 Posts: 31/51 Since: 01-21-16 |
I have an IS Nitro Emulator as well, I use it to test my MKDS CTs directly from my PC. MKDS Hacking & Modding Server:They're very useful for figuring out crashes, and the like. My model is the DS Lite version without wireless. Also, Gericom tested the video output a few months back. It is indeed a software restriction, and he made a program that activates it. All units have this feature, even if they claim not to. It's kind of weird that Nintendo put something like that behind a 400 dollar pay wall. It's also a bit obvious it's a software restriction, since if you plugin an AV Cable into a unit without video output enabled, such as my own, you can hear sound output from the television, as Geri, and I found out when he asked me to test his program with him, since he didn't have any GC AV Cables to use with his own unit. I got my unit off of ebay for 180 bucks with the help of a friend. I bought my unit from hard4games back in December. Although, my own unit seem as though it had never been used before, as if it were simply taken out of the packaging it first came in, since they were no scuffs, or scratches on the controller at all, and what seems to be a temporary cover on the bottom screen meant to be taken off after the unit has been taken out of it's original packaging. _________________________ https://discord.gg/KhETqr7 |
RicBent |
Posted on 05-05-18, 03:40 pm
|
Mariomaster
Karma: 8553 Posts: 1194/1681 Since: 06-09-12 |
Oh this is interesting. I will soon have one of these too (DS Lite/wireless/no video).
I thought there was an optional 4th board in the unit that is responsible for video output. Would be great if you could link me the tools or some more information about unlocking the thing Nintendo actually now only has a single type of 3ds devkit and all the different features are unlocked via buying different software licenses. _________________________ GitHub - Kuribo64 - YouTube |
SGC |
Posted on 05-05-18, 04:18 pm (rev. 3 by SGC on 05-05-18, 05:02 pm)
|
Red Paragoomba
Karma: 198 Posts: 32/51 Since: 01-21-16 |
I'll have to ask Gericom if I can share the video enabler, but I'll see what I can do. MKDS Hacking & Modding Server:Gericom already researched a big chunk of the firmware too, and documented some of the internal registers, as well. He also figured out how the wired Wi-Fi works. Alright, here's a link to the ISNE video enable I got permission to share it from Gericom: https://cdn.discordapp.com/attachments/198838764900974592/411538663042711562/Debug.zip https://cdn.discordapp.com/attachments/198838764900974592/411544282978320386/Debug.zip To use it, just double click the program while the ISNE is running, what you see on the TV may differ depending on if the AV cable is pluged into AV Out 1, or AV out 2. Geri made multiple versions of the program that show different screen configuration on either of the out puts. The one in the first link in particular out put the Top, and bottom screen out of AV Out 1, forgot what it out puts with AV Out 2. The second on out puts on the top screen on both AV outs, iirc. _________________________ https://discord.gg/KhETqr7 |
Dirbaio |
Posted on 05-06-18, 03:48 am
|
Super Mario
( ͡° ͜ʖ ͡°) Karma: 10061 Posts: 4414/4458 Since: 06-08-11 |
Posted by SGC I got my unit off of ebay for 180 bucks with the help of a friend. I bought my unit from hard4games back in December. Although, my own unit seem as though it had never been used before, as if it were simply taken out of the packaging it first came in, since they were no scuffs, or scratches on the controller at all, and what seems to be a temporary cover on the bottom screen meant to be taken off after the unit has been taken out of it's original packaging. Oh my god, 180 bucks for a shiny new one is an awesome deal, lucky you! All the ones I have are very used. Minor scratches and dirtiness, but most are in good condition. I got a DS phat one that had the broken hinge. it's the one in the teardown pics actually. I figured I might disassemble that one in case I broke it, but thankfully disassembly and reassembly is quite easy and it worked just as well when reassembling it. I tried to swap the case with a regular DS phat, but they made minor modifications to fit the PCB and huge cable and connector. (Note to sel: post the pics) Posted by RicBent Nintendo actually now only has a single type of 3ds devkit and all the different features are unlocked via buying different software licenses. I'm not so sure about that, the one I got seem to be missing the video board entirely, the back has holes covered with a plate. Pic of the back Posted by SGC Alright, here's a link to the ISNE video enable I got permission to share it from Gericom: https://cdn.discordapp.com/attachments/198838764900974592/411538663042711562/Debug.zip https://cdn.discordapp.com/attachments/198838764900974592/411544282978320386/Debug.zip Oh my god, this is amazing! I gotta try this out asap, I need to get GC video cables tho |
RicBent |
Posted on 05-06-18, 09:54 am
|
Mariomaster
Karma: 8553 Posts: 1198/1681 Since: 06-09-12 |
Gericom |
Posted on 05-06-18, 07:00 pm (rev. 1 by Gericom on 05-06-18, 07:01 pm)
|
Shyguy
Karma: 160 Posts: 72/90 Since: 07-10-12 |
|
Dirbaio |
Posted on 05-06-18, 09:40 pm
|
Super Mario
( ͡° ͜ʖ ͡°) Karma: 10061 Posts: 4416/4458 Since: 06-08-11 |
Oh hey Gericom, long time no see!
Yeah, I got the invite to the repo. Pretty interesting stuff you got there! USB capture would be extremely interesting too. I haven't got around to reversing the NEC, so do share the IDB! Also I've been working on reversing Nintendo's debug rom: https://nsmbhd.net/file/uDGX4P4fxbB7TvrJ/debugrom2.idb It's surprising that all the breakpoint and step by step stuff seems implemented there, in software! :o I'd have expected it's done with JTAG... What's the JTAG used for then? The debugrom seems to be using the GBA RAM at 0x09f80000 for communication: when FIQ is triggered, it does a bunch of stuff and then loops reading commands from there. You can read/write to that memory via USB, but ISND doesn't seem to do that aside from the initial write, and uses special commands. Is the NEC that then writes to that memory? Do you have any info on this? Also interesting: Mine is identical to yours, except the timestamp at 0x02700218 (the PC tool puts it there so the arm7 can sync the DS's clock on boot!) |
Dirbaio |
Posted on 05-06-18, 09:44 pm
|
Super Mario
( ͡° ͜ʖ ͡°) Karma: 10061 Posts: 4417/4458 Since: 06-08-11 |
Also I've been working on implementing a Python driver: https://github.com/Dirbaio/NitroDriver (probably you already saw).
I'm using python/pyusb because I want it to work on Linux Also, I want to write a debugrom from scratch so we don't run into copyright issues, and maybe also add extra cool features (?) |
Gericom |
Posted on 05-07-18, 06:31 am (rev. 3 by Gericom on 05-07-18, 07:35 am)
|
Shyguy
Karma: 160 Posts: 73/90 Since: 07-10-12 |
|
bbomb64 |
Posted on 05-11-18, 03:01 am
|
Shyguy
bbomb64 Karma: 170 Posts: 39/86 Since: 12-17-17 |
Damn. That Nitro looks like something straight out of the late 70's. I'd want one of these just for my desk.
Also, the SNES uses the same AV port I think. |