Search

[Noda]

I verified this firmware dump, it's ok. Now I need the xor key to decrypt it :/

seems that DF have say it's very simple to find it, if find the firware start une the update bin i'll find the key

I'll have a look at this later. Then, it's very simple to modify the firware to autoboot in NDS mode with the SC (it's just a 4-bytes header modification)

[Noda]

Got the key!!! now i'll do some tests, then will follow the download link for SCSD Firmware patched! (and you'll never bother again pressing those button again at startup if you use flashme!)

[Noda]

NEED SOME HELP!

I modified the update binary of SCSD to bypass the check in order to write my modified firmware, but my bypass modifications seems to have broken the flash code and now I have a dead SC!! and DF recovery tool doesn't detect my SC (probably of bad firwmare code)!!!

how to force the detection of my SC?

EDIt: thanks to DF it's now working

[cory1492]

Did DarkFader explain to you why your dump was not good? If you look at it in a hex editor you will see that 0x0 and 0x400 are mirrors. I can get a good dump with the SC itself using the FAT lib (I beleive unlock code 0x4 instead of 0x3) but it is still crypted/xored aside from the GBA header and the first chunk of code that decides if its started in GBA or NDS mode (as far as I can tell).

Once you have a dump, you can easily tell if its good by simply renaming the 512k file to something like "test.nds" or "test.gba" and running it on your supercard: this is what I had to do when I tried running DF fixer from the SD card after the 4byte header patch to PASS, since I couldnt get it to run in GBA mode as the GBA header was corrupt with the wrong checksum (1byte); so I found that there needs to be 5bytes patched in the GBA header for it to work.

I sent off the moonshell 0.8 sources for you too Noda If you want the DS source to my SCSD firmware dumper, your welcome to it although I had it wipe my SD card once it should be good now... all it really would need is the memory dumped xored appropriately before writing to the SD, I'd guess. Feeling too lazy to run the clean and dumped 1.52 firmwares through xor right now to see what happens.

[pg65]

Noda how did you get the SC to get detected? I have one that I think the f/w was erased and have used DF tool but the same thing was happening to me it is not detected.

[Noda]

Yeah, DF said that you need some read sequence to achieve a good dump. I have to dump a XORed 1.52 firm to get the XOR key, and decrypt the firmware from last update (it's stored fully XORed in file sd_154.bin, I found where)

Also, for the firmware recovery thing DF sent me a specially build of flashmp where I ccan override the SC detection. If you want me to send this version to you drop me an PM.

I've already made the tools to get the 64k XOR key, I now just need the 1.52 firmware XORed and it will be fine

[Noda]

Finally I got the right XOR key and decrypted the 1.54 firmware from the update .bin, pateched it (it works great when I run the .bin from my SC, nice way to test ) but I replaced it in flashmp and flashed it, got 2 white screens at start (it correct 1 byte for the complement in the header)

[Noda]

Argh! seems there's a bug in my xor programs that coruupts some bytes here and there, still searching it that would explains the white screens

EDIT: it was not a bug in my programs, but a vice of the firware encryption!! the first 8k of the firwmare use 2 differents 4k XOR keys, and the rest use another 4k XOR key! now that I've figured out the scheme, maybe it will work

EDIt2: no way, the 3rd XOR key has changed since 1.52, need a good dump (or the program to dump it as I have a parralel linker)

[Noda]

FINALLY I DID IT!! it works flawlessly now

The things that made me found 3 XOR keys is that DF dumped the 1.52 and no XORed it (like me) so he has FF where it should have some part of the XOR key. Then I cut some part without FF, cracked the XOR key, did it with another part, verified it. And got the good XOR key to decrypt the 1.54 update The rest was easy: patch header and correct complement, re-inject the firmware into the DF flashmp and so

I don't know if the XOR key is the same with the CF version (surely).

But now I don't want to release it with the flashmp thing, because I used a modified flashmp bin which override SC detection for flashing, and don't want n00bs getting it and crying "i destroyed my SC i've pushed right instead of up and it flash the CF version instead of SD what to do no please help me!!!!" :p

I'll try to make a good hack (working one) of the official update binary so it would be much simpler (and safer) to flash my modified firmware

[Nphinity]

What about making a patch like romman does.  One for the SD, and one for the CF?

[zektor]

So this patch will automatically boot DS mode without the ABXY keys? But, what good would this be if you wanted to play GBA games? If you automatically boot in DS mode when the SC is inserted and boot a GBA game, you would have to deal with the bottom (or top, depending on your config) being a plain white screen. That is something I wouldn't want at all. I guess if you are only playing DS games it would be somewhat more convenient, but that would not work for me.

Unless of course I am missing something here?

[Nphinity]

yah... basically that is what would happen.. however.. I beleive ther eis a key sequence to force it to boot in normal mode, so instead of havint o hit buttons to go into NDS mode.. you would need it for GBA mode.

Hopefully some day someone will figure out how to turn off the extra screen, and make life even easier..


May big hope is some day I'll turn onmy DS to a nice little OS that is totally capable of computer like activivities, and that I can launch all of my software from, and manage files and memory and that would be soo kuhl...

[Noda]

If you hold select at start it boots on GBA mode.

And I passed some hours yesterday reverse-enginnering the patcher prgram of romman and hacked it to pass the verification (it do some CRC checks) to use it with my modified firmware but I don't know why, during flashing it acts strangely and finally doesn't work (and destroy firmware :/)

The only safe way to use this patch is with Darkfader's flashmp utility, I wanted to make a special build just to patch SC's firmware but I can't make devkitPro runs conrrectly, if someone could help me with that...

[cory1492]

Check your PM, if you toss me the source I can tell you which versions of the toolchain it needs to compile... let me know the problem you are having with your toolchain as well, I might be able to help there too (one thing I have experience in is getting the blasted toolchain to run right for working source)

Yeah, DF said that you need some read sequence to achieve a good dump.

So how did you wind up reading the firmware then? I dont know the sequence if its not the simple unlock from the FAT lib... nm, you found the loc in the bin utils... I cant see it though, even in disassembly...

[Noda]

I didn't dumped the firmware, I extracted it from latest update .bin and decrypted it by the way i'll look my mp