fagotero
28/01/2005, 20:13
I'm passing on the same news I posted on Ndsspain (http://www.ndsspain.com)
Darkfader has managed to dump Super Mario 64 DS after several failed attempts.
Let's hope that with this the scene discovers new things and can learn a bit more about programming for the NDS, and see how the NDS works with a complete game.
News thread (http://forum.gbadev.org/viewtopic.php?t=4923)
Latest comments from Darkfader's website:
I have dumped "Metroid Prime Hunters : First Hunt" (the demo) and "Super Mario 64 DS" by altering the command stream to the cartridge. And now I can also access the cartridge from within the DS itself.
For data starting from offset 0x8000, the original data can then be retrieved by XORring the data of the original data stream and the result of the modified one.
I dumped offset 0x4000 to 0x8000 by copying the RAM contents to the savegame RAM of a GBA cartridge.
The unencrypted header is supposed to be at offset 0x0000 to 0x4000 and can be retrieved very easily.
The header has more nifty bits, like automatic continue at the bootscreen.
I have stopped the RTC and found out that the encryption is seeded by the time and the 4-character gamecode.
When the gamecode is altered in the header, the game does not start. This could mean the encryption logic is based on it.
I'm very close to finding out how the XOR stream for the cartridge is generated by initializing it with a single bit turned on.
The lower part of the ARM7 BIOS is read-protected and it probably contains code to load the firmware into memory and the encryption seed logic.
Games might be playable from GBA cartridge with some code patching, but it's also possible to put the DS slot in unencrypted mode.
I might know some trick to make the DS bootable without a GBA cartridge. Still, a pass-through would be needed until the encryption is found out.
Cheers!
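The recovery trick Darkfader describes for data past offset 0x8000 (XOR the result of the normal command stream against the result of the modified one) is the classic keystream-reuse weakness of any XOR stream cipher: if two reads are masked with the same keystream and one of the two plaintexts is known, the other falls out by XOR, and the keystream itself is recovered along the way. The Python below is an added illustration for this thread and is not Darkfader's code nor the real DS cartridge cipher; the keystream generator is a toy SHA-256 counter-mode construction seeded from a time value and a 4-character gamecode, purely as an assumption to mirror the seeding he mentions, and all data values are constructed.

```python
import hashlib

# ASSUMPTION / toy only: a deterministic keystream derived from (time, gamecode)
# in SHA-256 counter mode. It stands in for "some keystream seeded by predictable
# inputs" and is NOT the cipher the DS actually uses.
def toy_keystream(seed_time: int, gamecode: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hashlib.sha256(
            seed_time.to_bytes(8, "little") + gamecode + counter.to_bytes(4, "little")
        ).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def recover_unknown(cipher_unknown: bytes, cipher_known: bytes, plain_known: bytes) -> bytes:
    """Keystream reuse: (P1 ^ K) ^ (P2 ^ K) = P1 ^ P2, and XOR with P2 yields P1."""
    return xor_bytes(xor_bytes(cipher_unknown, cipher_known), plain_known)

def recover_keystream(cipher: bytes, plain: bytes) -> bytes:
    """With one known plaintext/ciphertext pair the keystream is simply C ^ P."""
    return xor_bytes(cipher, plain)

def demo():
    # Constructed values: a "stopped RTC" time and a placeholder gamecode.
    seed_time = 1106939580
    gamecode = b"XXXX"  # placeholder, not a real gamecode
    secret = b"cartridge data past 0x8000 (constructed)"
    # The modified command stream is modelled as returning an all-zero block
    # that is nevertheless masked with the same keystream.
    known = b"\x00" * len(secret)

    ks = toy_keystream(seed_time, gamecode, len(secret))
    cipher_secret = xor_bytes(secret, ks)   # read via the original command stream
    cipher_known = xor_bytes(known, ks)     # read via the altered command stream

    recovered = recover_unknown(cipher_secret, cipher_known, known)
    keystream_matches = recover_keystream(cipher_known, known) == ks
    # Same seed inputs give the same keystream, which is what makes reuse possible.
    deterministic = toy_keystream(seed_time, gamecode, 16) == toy_keystream(seed_time, gamecode, 16)
    return recovered, keystream_matches, deterministic

if __name__ == "__main__":
    rec, ks_ok, det = demo()
    print(rec, ks_ok, det)
```

The lesson for anyone designing such a link: a keystream that is a pure function of observable inputs (a clock the reader can stop, an identifier stored in a plaintext header) and that is applied identically to every read offers no confidentiality once a single known block is available; a fresh per-session nonce mixed with a secret key, never repeated across reads, is what prevents the XOR trick above from working.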